Secure Mail Reading on Mac OS X

Apple has been evolving Mail.app, OS X's bundled email client, at about the same pace as the rest of the system.

I've always appreciated the program for its solid IMAP support (rather a rare attribute among mail clients in general). But recently I've started to like it even more since it began supporting super-secure mail-reading protocols that help to stop bad guys from nabbing my passwords.

In this article I describe a danger inherent in most mail-reading methods, and ways to work around it on OS X, using the Mail program. I'll also give you a brief tour of some SSH client tools that subtly stow away in the Mac OS X distribution.

Cleartext Passwords: Bad Thing

If you've hung out around paranoid hackers as long as I have (which is to say, enough to become one yourself), then you're likely familiar with the distinction between cleartext and ciphertext. "Cleartext" refers to any information devoid of encryption. Transmitting cleartext over a network, especially the all-seeing Internet, can result in tragedy if that information falls into the wrong hands.

Security-conscious folk know that any snoop with the will and the resources can listen in on your outgoing network traffic (be they the unscrupulous dudes in that white van parked across the street while you use your wireless network, or shadowy G-men with a tap on your ISP's routers) and reconstruct all your online activities. Any text you send shows up clear as day -- unless you encrypt it. In this case, your intended recipient has some way to turn your message into something readable, but during transit it's unreadable gobbledygook, and that's all any eavesdropping party, listening in the middle, will get.

Unfortunately, it's likely that you place your own network security at risk several times a day, by tossing one of your passwords around in a distinctly non-gobbledygooky fashion. If you use a mail client such as Mail.app to download and read mail from another server, chances are that the username and password you use to authenticate these transactions travel over the Internet as cleartext every time that your client opens a new session with that server. Should a shady entity choose to capture this information, the consequences to your network identity can turn tragic.

Not even high-profile mail encryption technologies like PGP can defend against this sort of attack. While they do a nice job mangling the text that makes up the actual email, they hold no sway over the lower-level communication between your Mac and your mail server. You instead need to encrypt your entire online session with the mail server. This can prove a tricky business, but for Mac OS X users it's becoming a progressively easier exercise with each revision of the operating system.

Mac OS X and Encryption

In the year or so that OS X has been on shelves, Apple has been gently nudging the OS (and its users) toward favoring secure, encrypted communication protocols over clear ones. This has perhaps been most obvious in Mac OS X's increasingly warm relationship with SSH, the secure shell, a protocol for using key-based encryption to allow all sorts of secure communication with other machines. It's most commonly used for interactive sessions to shells on remote machines, making it an easy and very attractive alternative to the venerable but outrageously insecure Telnet.

With system version 10.0.1, Apple began including OpenSSH software with the distribution, both its client (which you can invoke with a simple 'ssh' on Terminal's command line) and its server (sshd, the SSH daemon). As of version 10.1, checking the "Allow remote login" checkbox under the Application tab of the Sharing preferences pane launches an SSH daemon on your Mac to accept logins from afar, instead of a Telnet daemon. (You can still set up your Mac for Telnet access, of course, by groveling over it on the command line, via Terminal. Apple simply displays its silent, matronly disapproval of such activity by not giving you any easy way to do it. And, granted, it has a point in this case.)

Relatedly, with OS X 10.1.3 Apple has upgraded Mail.app to allow connections over SSL, the Secure Sockets Layer, another sort of encryption technology (and one you may have heard of in other contexts, particularly with Web pages). Both of the major mail-reading protocols that Mail supports, POP and IMAP, have SSL-enabled variants (sometimes known as POPS and IMAPS), and more clued-in ISPs have mail servers that can speak one or both of these more obscure protocols.

Mail Fetching Over SSL

Before you can start using these secure protocols, you've got to find out if your mail host supports them. You can always just ask your ISP about it, of course. The nerdier way (and perhaps the only one available after business hours) involves poking at the mail host's ports by hand, and seeing if they bite back. If you're not shy about using Terminal, try these commands (naturally replacing my-mailhost.net with the address of your mail host):

If you get any response beyond flat refusal, things are looking good; you can probably continue with the instructions in this section, using the default port numbers. Otherwise, ask your ISP if they support POPS or IMAPS, and if so, what port numbers these services run on.
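One way to run this check from Terminal, as an added example rather than the article's own commands: it opens an SSL session to the default POPS and IMAPS ports with the openssl command-line tool and reports which kind of server greeting came back. It assumes openssl is installed; the function names are this example's own, and my-mailhost.net is the article's placeholder.

```shell
#!/bin/sh
# Added example: check whether a mail host answers on the SSL-wrapped
# POP (995) and IMAP (993) ports. Function names are this example's own.

# Read a server's output on stdin and name the service that greeted us.
# POP3 servers open with "+OK"; IMAP servers open with "* OK",
# "* PREAUTH", or "* BYE" (the last meaning "connected, but refused").
classify_greeting() {
    # tr is last in the pipeline so a non-match does not abort under set -e
    line=$(grep -m1 -E '^(\+OK|\* (OK|PREAUTH|BYE))' | tr -d '\r')
    case "$line" in
        "+OK"*)               echo "pop" ;;
        "* OK"*|"* PREAUTH"*) echo "imap" ;;
        "* BYE"*)             echo "imap-refused" ;;
        *)                    echo "none" ;;
    esac
}

# Open an SSL session to host:port, send the protocol's goodbye command
# so the server hangs up promptly, and classify the greeting it sent.
# A refused connection or failed handshake yields no output: "none".
# A firewalled port may stall until the TCP connection attempt times out.
probe_port() {
    host=$1
    port=$2
    goodbye=$3
    printf '%s\r\n' "$goodbye" |
        openssl s_client -connect "$host:$port" -quiet 2>/dev/null |
        classify_greeting
}

# Probe both default SSL mail ports on one host.
check_mailhost() {
    echo "995 (POPS):  $(probe_port "$1" 995 'QUIT')"
    echo "993 (IMAPS): $(probe_port "$1" 993 'a1 LOGOUT')"
}

# Runs only when a host is given: sh check-mail-ssl.sh my-mailhost.net
if [ "$#" -ge 1 ]; then
    check_mailhost "$1"
fi
```

A result of "pop" or "imap" shows only that the port speaks SSL and the expected mail protocol. It says nothing about the server's certificate, which s_client does not require to be trusted by default.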

Configuring Mail for SSL

The only tricky business on the Mac's end of things lies in the fact that Mail doesn't really advertise its capability for SSL connections, nor does it use it by default with any mail account. Activating SSL for any existing POP or IMAP account is pretty easy, though: just call up the "Account Options" tab in that account's setup dialog (which you can invoke via Mail's Preferences) and check the "Use SSL" checkbox.

If the value of the "Port" text field was already the default port number for POP or IMAP (110 and 143, respectively) then it will snap to the SSL-flavored default port for the same type of protocol (995 for POPS, 993 for IMAPS). If the field held any other value, though, Mail will figure that this mail server must have a penchant for unusual port numbering, and won't try guessing it. With most any mail server, the defaults should do nicely, but it may behoove you to get the port numbers from the mail services you'd like to use from your ISP.